Friday, November 30, 2012

When the New York Times released its story that some of the Syrian government's websites were hosted outside of Syria, I wasn't surprised to see SoftLayer Technologies as one of the hosts. They are also the company that hosted StopGeorgia.ru, the Russian forum which coordinated many of the cyber attacks against Georgian government websites during the Russia-Georgia war (2008).

Other U.S. ISPs in addition to SoftLayer who are hosting Syrian government websites in violation of an Executive Order by President Obama (EO 13582) are HostDime.com, WeHostWebSites.com, 383Inc., HopOne, Net2EZ, Tiggee, and PEER 1. Of those seven, HostDime and Softlayer are consistently among the world's 50 worst hosts for serving malicious content.

Furthermore, this isn't the first time that SoftLayer and the other offending ISPs have learned of their violation of EO 13582. CitizenLab first published its report, The Canadian Connection: An investigation of Syrian government and Hezbullah web hosting in Canada, in November 2011. A blog posting by HostJury.com shows that SoftLayer didn't respond to their inquiry back then and still hasn't. A spokesperson for HostDime responded on the HostJury blog last November by saying "We are currently aware of all OFAC (Office of Foreign Assets Control) rules and regulations and continue to comply and monitor to the best of our ability." Since they have continued hosting a Syrian government website (MOW.GOV.SY) for more than a year and have done nothing about it, they and the other ISPs involved are knowingly in violation of EO 13582.

In my opinion, these ISPs need to be federally bitch-slapped for this. I hope that one or more of my federal government readers takes the hint and sets a much-needed example with HostDime, SoftLayer and the others.

UPDATE (30NOV2012 0634PST): VF (Vicki Fraser) of HostDime (@HostDime) responded to me on Twitter shortly after I published this article: "We do not host any Syrian websites and are not in violation of federal sanctions. ^VF". Say, Vicki. Do you know how to use ROBTEX?

VF responded via Twitter: "@jeffreycarr it is hosted within our datacenter but not by us, we've reached out to our direct client expressing our concerns ^VF".

UPDATE (30NOV2012 0829PST): @HostDime announced via their Twitter feed: "@jeffreycarr Update: Our client (the host of the Syrian site) has taken action and taken the site offline. ^VF"

Monday, November 26, 2012

I've spent the last week trying to find a way to support an SAS sniper who's been unjustly jailed in Britain over a handgun possession charge. The article that I wrote about it is now up at SOFREP.com. Please read it, sign the petition, and make a donation to help Sgt. Nightingale and his family through this very difficult time.

On Feb. 8-9, 2013, up to 100 people including some of the world's leading experts in law, incident response, reverse-engineering and intelligence will meet in Washington DC to debate the topic: "Private Companies should be Authorized to take Measured Offensive Actions against Attackers". The list of speakers includes CrowdStrike's Dmitri Alperovitch, Mandiant's Richard Bejtlich, Microsoft's Dave Aucsmith, Damballa Labs' Gunter Ollmann, CrySys Labs' Boldi Bencsath, ReVuln's Donato Ferrante, the director of INTERPOL's new Digital Crime Center, the ITU's Marco Obiso, The Grugq, The Jester, and many more.

The agenda of Suits and Spooks DC will feature the most intriguing panel discussions ever held on the highly controversial issue of "striking back" at those responsible for cyber attacks, as well as on how offensive markets for malware are changing the world of vulnerability exploits. The second day will include breakout sessions as well as an afternoon debate between two teams consisting of 12 volunteers from our attendees, along with time for research and strategizing over a working lunch.

12 attendees will volunteer to debate the proposition (6 per team). The working lunch will be spent dividing into teams and assisting the debaters in preparing research and debate strategies.

2:00pm - 3:30pm: Debate the Proposition "Private Companies Should be Authorized to Take Measured Offensive Actions Against Attackers"

The debate will be judged by a panel of 5 of our speakers.

3:30pm - Closing Remarks

The Waterview Conference Center is one of Washington D.C.'s most beautiful and exclusive facilities, but it has a capacity of only 100 people, so don't miss out. Register today and be a part of one of 2013's most important events.

We are also still looking for companies to join Basis Technology in sponsoring this important event. Please contact me for more information.

Wednesday, November 21, 2012

The government of France shouldn't be so quick to charge the U.S. with being responsible for the Flame malware found on President Sarkozy's computer. Kaspersky Lab had remarkably little evidence to support their charge that it was created by the team that created Stuxnet and Duqu, and CrySys Labs said that it probably wasn't created by the Stuxnet/DuQu team.

Further, France is in no position to throw stones. Its use of cyber espionage operations is well known inside the U.S. Intelligence Community as well as to the German government, which considers France a more severe intellectual property theft risk than Russia or China. France's state-owned energy firm EDF also conducted cyber espionage attacks against Greenpeace.

Friday, November 16, 2012

A Middle East faction of Anonymous has taken the side of the Palestinian settlers in Gaza and announced that it would be attacking Israeli government websites. One of them belonged to Israel's Air Force according to this tweet:

Screenshot captured on 11/16/2012 0658 PST

Screenshot captured by AnonymousSky and referenced in the above tweet

Less than two days after Israel launched Operation Pillar of Defense (the English version of the more obscure Pillar of Cloud designation), civilian supporters on both sides of the conflict have begun launching cyber attacks against key websites (see my original post on this conflict). 88 defacements have been posted to Pastebin today and many more are expected to occur.

UPDATE 16NOV12 0944PST: The following Israeli gov't websites have been attacked by Anonymous per @AnonymousSKY:

Israel Security Agency (Shabak.gov.il)

Ministry of Justice (Justice.gov.il)

@YourAnonNews has reported that cyber attacks from pro-Israel hackers have impacted VoxAnon, an IRC network popular with Anons.

Thursday, November 15, 2012

Israeli Defense Forces have been engaged in missile attacks against Hamas targets in Gaza off and on for about a month; however, the conflict escalated in the wake of the killing of Ahmed Jabari, Hamas' military chief of staff, on November 14, 2012. Hamas has announced at least 8 deaths since Israel launched Operation Pillar of Cloud (aka Pillar of Defense), which has primarily involved missile attacks from both sides, and the campaign is intensifying.

Operation Pillar of Cloud is reminiscent of Operation Cast Lead, which occurred from December 2008 to January 2009; however, Cast Lead had a widely publicized cyber component in which tens of thousands of attacks were launched by Israeli and Arab hackers against government websites and communications infrastructure on both sides. To date, no such action has been publicized, apart from an information operation being conducted on Twitter between the IDF and the al-Qassam Brigades.

However, back in October, when the missile attacks first began, the IDF announced that it was stepping up its recruiting efforts for computer-savvy soldiers. This announcement came the day before the IDF was to hold an awards ceremony honoring 12 soldiers "engaged in the army's cyber-defense activities". I checked on the likelihood that offensive cyber operations by the IDF would be included in Operation Pillar of Cloud with retired Mossad officer Michael Ross, who told me that it's safe to say that "every IDF operation includes cyber network attacks of a greater or lesser scale."

Finally, there's this announcement which appeared today on Twitter:

While it's too early to know for sure the scale of cyber warfare running concurrently with this operation, one thing is certain: the Middle East is proving to be the best practical "lab" there is for studying what does and doesn't constitute an act of cyber warfare.

UPDATE 15NOV12 1728PST: Anonymous aligns itself with Gaza and against the IDF:

[W]hen the government of Israel publicly threatened to sever all Internet and other telecommunications into and out of Gaza they crossed a line in the sand. As the former dictator of Egypt Mubarack learned the hard way - we are ANONYMOUS and NO ONE shuts down the Internet on our watch. To the IDF and government of Israel we issue you this warning only once. Do NOT shut down the Internet into the "Occupied Territories", and cease and desist from your terror upon the innocent people of Palestine or you will know the full and unbridled wrath of Anonymous.

UPDATE 15NOV12 1110PST: Evan Kohlmann (@IntelTweet) posted via Twitter today: "Hackers in Gaza have leaked 35,000 credit card numbers of 'Zionist civilians' as a 'response from the lions to the aggression of the Jews.'"

Tuesday, November 13, 2012

The recent incident involving the release of Skype user data to law enforcement by iSight Partners raises serious due process questions, especially considering the rapid growth of the cyber intelligence sector. iSight Security, Inc. dba iSight Partners is a privately owned cyber intelligence firm based in Dallas, TX, that was founded by John Watters after he sold iDefense to Verizon. According to their website, the company provides insight into malware actors and threats to their corporate and government clients.

Two of iSight's corporate clients are PayPal and Microsoft's Skype. According to the Dutch journalist who broke the story, PayPal hired iSight to investigate Anonymous after it coordinated DDoS attacks against PayPal in protest at PayPal's blocking of payments to Wikileaks in 2011. In the course of doing work for PayPal, iSight discovered the alias of a person who they believed was a member of Anonymous and found that it matched a Skype name. An iSight employee then contacted Skype, another client company of iSight's, and asked for the user data that accompanied the Skype name. Skype complied since it had a contractual relationship with iSight.

NOTE: Apparently, if you're a Skype customer, your data can be shared with any other company that partners with Skype, per its privacy policy:

Except as provided below, Skype will not sell, rent, trade or otherwise transfer any personal and/or traffic data or communications content outside of Microsoft and its controlled subsidiaries and affiliates without your explicit permission, unless it is obliged to do so under applicable laws or by order of the competent authorities.

Skype may disclose personal information to respond to legal requirements, exercise our legal rights or defend against legal claims, to protect Skype’s interests, fight against fraud and to enforce our policies or to protect anyone's rights, property, or safety.

Either Skype sees its relationship with iSight as an affiliate relationship, or it sees its sharing of information as a way to protect its interests. Either way, it completely bypasses the need for a warrant. iSight then turned that protected information over to the Dutch authorities without being presented with a warrant or having been part of any due process to protect the Dutch citizen's rights.

I understand from a confidential source that Skype (or possibly Microsoft) is investigating iSight's actions in that regard to ensure that it never happens again. This could be especially damaging to Microsoft since it's already on the EU's radar from past legal disputes regarding anti-trust matters. Although I've tried to get iSight to comment on this incident, no one from the company has replied to my email requests.

UPDATE (13 NOV 2012): The larger issue is the question that iSight refuses to answer. Does iSight commingle this type of data between client companies and share it with law enforcement or other government organizations, thus bypassing privacy rights in the U.S., E.U. and elsewhere?

Anonymous was able to exfiltrate a second, smaller batch of documents from the OSCE's webserver (OSCEPA.AT) on November 11, 2012, even after the organization knew that it had been attacked. This second batch of documents contains up-to-date information on the OSCE's Informal Working Group 1039, whose mandate (.pdf) is to create cyber security Confidence-Building Measures (CBMs) that would reduce the risk of cyber conflicts. The chairman of IWG 1039 is U.S. Ambassador Ian Kelly.

The latest revised draft set of CBMs was circulated in a document marked RESTRICTED among IWG 1039 members on November 7, 2012, in preparation for their meeting today, November 13, 2012, in Dublin. They are as follows:

Participating States will voluntarily provide their national views on some aspects of national and transnational ICT security. These may include, but are not necessarily limited to, views on doctrine; strategy; norms; lessons learned; real and potential threats; protective measures; concepts of operating in cyberspace.

Participating States will voluntarily share information on national organizations, programmes, or strategies relevant to their ICT security. This information will include the organization of the structures and a description of their mandate. Participating States will nominate a contact point to facilitate communications and dialogue on ICT-security matters.

Participating States will voluntarily provide contact details of existing official national Computer Security Incident Response Teams (CSIRTs), or equivalent official national structures, so that national experts can enter into a direct dialogue. Participating States will update contact information annually but in any event no later than thirty days after a change has occurred.

In order to reduce the risk of misunderstandings in the absence of agreed terminology, participating States will on a voluntary basis provide a list of national terminology related to ICT security accompanied by an explanation or definition of each term. It will be for each participating State to select those terms they deem most relevant for sharing.

Participating States will voluntarily exchange views on how existing OSCE mechanisms, such as the OSCE Communications Network, maintained by the OSCE Secretariat's Conflict Prevention Centre, could be used to facilitate communications regarding incidents involving ICTs (e.g., establishing protocols to ensure rapid communication at high levels of authority, to permit concerns to be raised at the national security level).

Participating States will, at the level of national experts, meet at least three times each year, within the framework of the Security Committee and its Informal Working Group established by PC Decision 1039 to discuss information exchanged and explore appropriate development of this initial list of confidence building measures as well as others that might be candidates for future consideration.

This set of draft CBMs is for discussion by the members. One of the documents included in the latest batch (Comments_AZE_IWB_1039.doc) offers comments from the delegations of Azerbaijan and Lithuania, which both want to considerably beef up the language with a few intriguing suggestions:

General comment: Proposed list of CBMs, in general, is not result-oriented and does not identify any imperative actions. All proposed CBMs are based on voluntary actions and most of them are already carried out by pS through other various international and regional organizations. We need some more concrete actions that define the responsibilities of the Participating States for the incidents stemming from the use of ICTs.

Specific comments:

Support the proposal made by Lithuania to add the following CBM to the list: “Participating States will refrain from directing malicious cyber activities against critical infrastructure vital to the wellbeing of civilians, such as telecommunications, energy, transportation and financial systems”;

We support the following proposal made by Lithuania, as well: “Participating States will accept responsibility for their national cyberspace jurisdictions”.

Moreover, in addition to the CBMs defining the responsibilities of the states for their actions in the cyber-space, it is very important to identify also the responsibilities of the States over their ICT companies to act in accordance with national legislation of other Participating States.

The concept of a nation state being held responsible for attacks emanating from servers within its borders has come up for discussion within the U.S. DoD too. It would certainly make attribution a lot easier if we could simply point to the geolocation of an IP address and say "case closed." Unfortunately, that's a completely unrealistic scenario, since Internet Service Providers aren't regulated entities and because web servers are easy to compromise (e.g., OSCEPA.AT).

Most of the suggested CBMs are voluntary and fairly ineffective even if put into practice. That's probably due to the fact that the membership of this committee is heavily loaded with policy makers and lawyers and has very few technologists or security engineers. The attack that Anonymous levied against the OSCE was apparently of the same variety that its members prefer: looking for easy pickings against poorly protected web servers. The first confidence building measure that these OSCE national experts should draft is to adopt an Assumption of Breach security framework. In other words, expect to be breached and keep your sensitive documents in a separate, controlled and monitored environment, i.e., not on a web server.

Friday, November 9, 2012

The Organization for Security and Cooperation in Europe decided in 2011 to take on cyber security as one of its missions. The reality of threats in cyber space for the OSCE has become even more real now that its internal network was breached in early November 2012 by an unknown person or persons and the stolen files uploaded to Par-AnoIA.net. There has been no public acknowledgment from the OSCE that it has even had a breach. Frane Maroevic, Deputy Head of Press and Information for the OSCE, told me in an email that "We condemn any illegal publication of confidential documents and will not comment on any such material."

The documents that Anonymous has posted are clearly genuine, although it isn't known how they were obtained, nor has anyone claimed responsibility for the attack. In addition to election monitoring reports and briefing books for Ukraine, Bosnia and the United States, there are internal RESTRICTED documents as well as emails and contact lists whose contents could be leveraged by bad actors to target members of the OSCE and others with spear phishing or other types of targeted attacks.

Several of the documents referred to the "Informal Working Group Established Pursuant to PC Decision 1039" along with a list of its members. The purpose of this group is to establish "a breakthrough on Confidence Building Measures (CBM) designed to enhance cyber security. Our goal must be to maintain the momentum so as to outline a set of Confidence Building Measures in time for adoption at the Ministerial Council in Dublin." I asked Mr. Maroevic if he saw the value in demonstrating such CBMs right now in the face of their own breach. As of the time of this posting there's been no response from Mr. Maroevic.

The Dublin Council meeting mentioned in that document is scheduled for December 6-7, 2012; however, a captured bi-weekly work schedule shows a meeting of the 1039 Working Group happening in Ireland on November 13, 2012, at 15:00. I expect this incident will be the highlight of their meeting, especially since the names and email addresses of all of the members were part of the collection of documents posted to Par-AnoIA.net.

I'll update this post with any new developments from OSCE and/or from our examination of the documents.

UPDATE (09NOV12 2314GMT): A source representing Anonymous has claimed credit for the attack against the OSCE. They breached the oscepa.at server, which belongs to the OSCE Parliamentary Authority and is hosted by Telekom.at, an Austrian service provider. The attack vector was not revealed, although it may have been SQLi, or perhaps an employee was compromised via a malicious payload delivered in a .pdf attachment.

Mr. Maroevic told me after my original article was posted that due to the sensitivity of the issue, the OSCE was unable to comment any further.